NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

jetcosys's avatar
jetcosys
Tutor
Jan 18, 2017
Solved

Cannot connect VPN with L2TP

Hi all! I've followed all the instructions I can find to setup L2TP VPN to connect to the FVS318Gv2 VPN from remote Windows 10 clients, but cannot seem to get it to work.  I followed the instruction...
Hardware
Installation
Troubleshooting
  • jetcosys's avatar
    jetcosys
    Jan 24, 2017

    Thanks!  Yes, changing to "Main" did allow VPN to connect.  Although I can't see the network resources, so something is messed up with my IP routing somewhere.  :(

     

    -Joe

train_wreck's avatar
train_wreck
Luminary
Jan 22, 2017

Set "Exchange Mode" to "Main" in your IKE policy. Also, you didn't post a screenshot of the "L2TP Server" page, I'm guessing it's been properly configured as well?

jetcosys's avatar
jetcosys
Tutor
Jan 24, 2017

Thanks!  Yes, changing to "Main" did allow VPN to connect.  Although I can't see the network resources, so something is messed up with my IP routing somewhere.  :(

 

-Joe

  • train_wreck's avatar
    train_wreck
    Luminary
    Jan 24, 2017

    What do you mean when you say you can't "see" network resources? Can you ping them?

    • jetcosys's avatar
      jetcosys
      Tutor
      Jan 25, 2017

      Spoke too soon.  VPN connects then disconnects shortly thereafter.  While connected I can't ping any resources on the network where VPN is connected.  I do get assigned one of the IP addresses in the pool for L2TP, but not sure how this translates to an IP address on the internal network I need to access shares on.  

       

      Here is the log from the disconnect:

      Tue Jan 24 20:24:39 2017 (GMT -0800): [FVS318Gv2] [IKE] ERROR: No policy found: 10.10.10.0/24[0] 192.168.69.1/32[0] proto=any dir=out
      Tue Jan 24 20:24:39 2017 (GMT -0800): [FVS318Gv2] [IKE] ERROR: No policy found: 192.168.69.1/32[0] 10.10.10.0/24[0] proto=any dir=in
      Tue Jan 24 20:24:39 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: 192.168.69.1 IP address has been released by remote peer.
      Tue Jan 24 20:24:39 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: KA remove: 96.x.x.x[4500]->108.x.x.x[4500]
      Tue Jan 24 20:24:39 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: ISAKMP-SA deleted for 96.x.x.x[4500]-108.x.x.x[4500] with spi:1c839229c40a79aa:0075e3770bb1bb68
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Ignoring request for negotiation to 108.x.x.x as Local is configured as Responder.
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Anonymous configuration selected for 108.x.x.x.
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Anonymous configuration selected for 108.x.x.x.
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: anonymous
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=1c839229c40a79aa:0075e3770bb1bb68.
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=2321133354(0x8a59af2a).
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
      Tue Jan 24 20:24:38 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Deleting generated policy for 108.x.x.x[0]
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Transport 96.x.x.x->108.x.x.x with spi=2321133354(0x8a59af2a)
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Transport 108.x.x.x->96.x.x.x with spi=213507967(0xcb9df7f)
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Adjusting peer's encmode 4(4)->Transport(2)
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: No policy found, adjusting source address for generating the policy incase of NAT-T in Transport Mode: 108.x.x.x/32[1701] 96.x.x.x/32[1701] proto=udp dir=in
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: No policy found, generating the policy : 192.168.1.10/32[1701] 96.x.x.x/32[1701] proto=udp dir=in
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: anonymous
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 96.x.x.x[0]<=>108.x.x.x[0]
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: notify payload[608]
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: ISAKMP-SA established for 96.x.x.x[4500]-108.x.x.x[4500] with spi:1c839229c40a79aa:0075e3770bb1bb68
      Tue Jan 24 20:19:35 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: 192.168.69.1 IP address is assigned to remote peer 108.x.x.x[4500]
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: KA list add: 96.x.x.x[4500]->108.x.x.x[4500]
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Floating ports for NAT-T with peer 108.x.x.x[4500]
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: NAT detected: PEER
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: NAT-D payload does not match for 108.x.x.x[500]
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: NAT-D payload matches for 96.x.x.x[500]
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] ERROR: invalid DH group 19.
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] ERROR: invalid DH group 20.
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: For 108.x.x.x[500], Selected NAT-T version: RFC 3947
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID

      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received Vendor ID: RFC 3947
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Beginning Identity Protection mode.
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Received request for new phase 1 negotiation: 96.x.x.x[500]<=>108.x.x.x[500]
      Tue Jan 24 20:19:34 2017 (GMT -0800): [FVS318Gv2] [IKE] INFO: Anonymous configuration selected for 108.x.x.x[500].

       

      Based on the error it looks like I need a policy between the VPN network (192.168.69.0) to the LAN network (10.10.10.0)??

       

      Sorry, I'm quite the rookie on this.  :(

       

      -Joe

      • train_wreck's avatar
        train_wreck
        Luminary
        Jan 25, 2017

        what does "L2TP Server" config page look like?

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More